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The invention relates to a method of and device for granting access to content 
on a storage medium in which cryptographic data used in detemaimng whether access should 
be granted is obtained fiom a property of the storage medium. 

The invention fiirfher relates to a playback and/or recoiling 
S comprising such a device, axid to a computer program product arranged to cause a processor 
to execute the method according to the invention. 

To protect content on storage media like CDs, DVDs and so on against 

10 unauthorized copying, the content is often stored in an encrypted fashion. This means that an 
authorized playback apparatus needs to be able to obtain the necessary decryption keys, 
preferably in such a way that unauthorized playback apparatos cannot obtain these keys: 
Typically these decryption keys are generated £rom data hidden on the storage tneHinm^ . 
preferably together with data hidden in the player. Authorized play&rs are provided with such 

IS data during manufiu^ure. This system is used for instance fw 

In the above a cloning attack is possible in which the encrypted content and 
the decryption data hidden on the storage medium can be copied as a whole onto a second 
storage medium. Protection against such a cloning attack can be achieved by hiding the 
decryption data in the disc itssel:^ rather than by storing it as data on the storage medium. One 

20 way to do tiiis is tiirough the use of a so-called ^ Vobble". The decryption data is obtained 
fiom the storage medium as variations in a physical parameter of the storage medium. 
Different media will have a different wobble or no wobble at all, so a different decryption 
key will be generated for that disc, which means that decryption of the content will feil. 
Reference is made to US patent 5,724,327 (attomey docket PHN 13922) to the same assignee 

25 as the present invention which describes various techniques to create such a ^Nvobble'' and to 
store information in it 

Natural aberrations that occur in the pressing process of recordable CD or 
DVD discs can be used to create a cryptographic key to encrypt the content that will be 
recorded on these discs. Reference is made to EP-A-0 706 174 for an exainple of using 
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natural properties of a disc to generate a unique identifier. A known problem in such an 
approach is that small deviations in the measurement of the physical properties can lead to 
the wrong key. Usually this is avoided by not vising natural iwroperties, but intentionalty 
made, and rehably measurable identifiers. Reference is made to US Patent 6,209,092 
5 (attorney docket PHN 16372) to the same assignee and same inventor as the present 
invention which describes a technique for deriving a cryptographic identifier fi»m 
intenfionaHy written supplementaiy data. This requires extra processmg of the disc, making 
the process more complicated and more expensive. 



It is an object of the present invention to provide a method according to tiie 
preamble, which tolerates small deviations in tiie measured value of the property of Ihe 
storage medium. 

This object is achieved according to the invention in a method comprismg 

15 obtaining cryptogr^hic data firom a property of the storage medium, reading helper data 
fiom the storage medium, and granting the access based on an application of a delta- 
contracting function to the cryptographic data and the helper data. 

A delta-contracting function is a function which has a primary kspvA (the 
cryptogr^hic date), a secondary input (the helper data) and which generates ou^ut based on 

20 the primary and secondary inputs. The secondary iiqwit is a control input m tiie sense that it 
defines ranges of values for tiie prhnary input signal and the correspondmg ou^ut value for 
each range of primary iiqmt values. 

More precisely, for any arbitrary origmal primary input value, the delta- 
contracting function allows tiie choice of an iq>propriate value of the secondary mput, such 

25 that any value of the primary mput \K^ch suffidenfly resembles said original primary input 
value leads to the same output value. On the other hand, substantially different vahies of the 
primary irput lead to different values of the output. 

The measured value must be quantized into discrete values before it can be 
processed cryptogr^hically. As any measurement is likely to contain some noise, the 

30 outcome of the quantization may difBea: from e]q>eriment to experiment. In particular if a 

physical parameter takes on a vahie close to a quantization tiuesthold, minor amounts of noise 
can change flie outcome. After applying flie quantized data to a cryptogr^hic fiinction, minor 
changes will be magnified and the outcome will bear no resemblance to tiie cjcpected 
outcome. This is fundamentally a necessary property of cryptographic fimctions. 
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The delta-contracting ftinction enhances the reliability of the obtained 
cryptographic data because an appropriate choice for the helper data can bie made to ad^t the 
cryptogr^hic data for a particular carrier that lie too close to a quantization threshold. It is 
now possible to use measurements from naturally occurring aberrations even if such 
measurements would have a low reliability. 

Intemational patent application WO 00/51244 and the conesponding article 
«*A Fuzzy Commitment Scheme" by Ari Juels and Martin Wattenberg, published in 
G. Tsudik, ed., Sixth ACM Conference on Computer and Communications Security, pages 
28-36, ACM Press, 1999, both disclose a so-called fiizzy commitment scheme which 
authenticates a p^son based on a measured biometric value that is close, but not necessarily 
identical to a reference value. The scheme prevents an atiacker iBcom learning anything about 
the reference value. The article only describes biometric applications of Ihe scheme and does 
not disclose, hint or suggest ^}plying the scheme for copy protection, let alone for wobble- 
based authentication of storage media. 

Various advantageous embodiments are set out in the dependent claims. 

It is a further object to provide a device according to the preamble, which is 
able to tolerate small deviations in the measured value of the property of the storage medium. 

This otgect is achieved according to the invention in a device arranged for 
granting access to content on a storage medium, comprising first reading means for obtaining 
cryptogrq)hic data fiom a fooperty of the storage medium, second reading means for reading 
helper data fiom the storage medium, and access control means for granting the access based 
on an ^application of a delta-contracting function to the cryptographic data and the helper 
data. 



These and other aspects of the invention will be apparent from and elucidated 
with reference to the embodiments shown in the drawings, in which: 

Fig. 1 schematically shows a sfystem comprising a storage medium and a host 
apparatus in accordance with tiie invention; 

Fig. 2 schematically illustrates an authorization process; 

Fig. 3 schematically illustrates an CTibodiment of a delta-contracting function; 

Fig. 4 schematically illustrates an audio playback ^paratus con^rising the 
host iqpparatus. 
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Throughout fhe figures, same reference numerals indicate similar or 
corresponding features. Some of fhe features indicated in fhe drawingis are typically 
implemented in software, and as such represent software entities, such as software modules 
S or objects. 

Fig. 1 schematically shows a system 100 comprising a storage medium 101 
and a host apparatus 110 in accordance with the invention. The host £q>paratus 110 con^ses 
areceptacle 111 in which a user can place fhe storage medium 101, aread module 112 for 
reading data ftom fhe storage medium 101, various proc^sing means 1 13-1 17 for processing 

10 content read fiom Ifae storage medium 101 and for feeding the processed content data to an 
' output 119, and a user input module 118 using which the user can control operation of the 
host apparatus 110. The host apparatus 110 also comprises a control module 120, whose 
workings are discussed below. 

In Fig. 1, the host apparatus 1 10 is embodied as an optical disc drive, for 

15 example a Compact Disc (CD) or Digital Versatile Disc (DVD) reader. The apparatus 1 10 
could however also easily be embodied as a floppy disc drive or as a reader for storage media 
such as removable hard disks, smart cards, flash memories and so on. The system 100 of 
which I3ie host apparatus 1 10 is a part can be fer instance a Compact Disc player and/or 
recorder, a Digital Versatile Disc and/or player/recorder, a personal computer, a television or 

20 radio system, and so on. Fig. 4 schematically illustrates an audio playback apparatus 400 

comprising fhe host apparatus 110. The apparatus 400 is arranged to play back and/or make a 
recording of fhe content on fhe storage medium 101 only if appropriate access is granted by 
fhe host apparatus 110. For example, if the host apparatus 1 10 only grants read access, lSxe 
apparatus 400 will make no recording or copy of the content. 

25 After fhe user places the storage medium 1 01 in the receptacle 111, fhe read 

module 1 12 is activated. This activation can be automatic or be in response to a user 
activation of the user input module 118, for example by pressing a button. It is assumed that 
authorization is needed for access to content recorded on fhe storage medium 101, for 
example to allow fhe content to be read out, played back, processed or copied. To establish 

30 whether access is authorized, fhe read module 1 12 now reads cryptogr^hic data from fhe 
storage medium 101 and feeds this cryptogr^hic data to fhe control module 120. 

The control module 120 receives fhe oyptogr^hic data and attempts to 
authorize fhe access based on this data. Possibly this attempt also involves cryptogr^hic data 
stored in fhe host apparatus 1 10 or cryptographic data supplied by fhe system 100. If this 
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aufhorization cannot be established, the control module 120 indicates an error status, for 
example by supplying an error signal to the output 1 19 or by activating a LED on the front 
panel of the host apparatus 110. 

If authorization is established, the read module 1 12 reads the content data from 
5 tiie storage medium 101 and feeds it to the processing means 1 13-1 17. It is possible that 
different reading means are necessary for reading the cryptographic data and for reading the 
content data, depending of the nature in which the cryptographic data is stored. The output of 
the processing means 1 13-1 17 goes to the ou^t 1 19, from which the content can be read by 
other components of the system 100 (e.g. by rendering it as a movie, or generating audio 

10 signals to be rendered on loudspeakers). It may be desirable to jQrst let the host apparatus 1 10 
establish that it is installed in a compliant system 100. This is esfpecially important when the 
output 1 19 is a digital output If the compliance of the system 100 cannot be established, no 
content should be presented on the output 119. 

The host apparatus 110 can be equipped with a great variety of processing 

IS means. In the exemplary embodiment of Fig. 1, the processing means comprise a decryption 
module 1 13, a watermark detection module 1 14, a conditional access module 1 IS, a signal 
processing module 116, and a bus encryption module 1 17. 

Firsl^ the content as it is read from the storage medium 101 is decrypted by the 
decryption module 1 13 using a decryption key supplied by the control module 120. The 

20 watermark detection module 1 14 processes the decrypted content data to frad a watermaik 
with embedded data contained therein. The watermark could coniprise, for exaniple, digital 
rights management data, an identification of the content owner or a reference to the storage 
carrier. 

The conditional access module 1 IS is arranged to regulate access to the 
25 content data. It could be programmed to enforce a strict no-copying regime, or to not allow 
the content to be fed to a digital output. In that case, the conditional access module 1 1 S 
signals to the signal processing module 1 16 that only analog signals are to be generated and 
fed to the output 119. The conditional access module 115 could also be programmed to 
switch on (Macrovision or otiier) copy protection mechanisms in the signals to be fed to the 
30 analog oulput 1 19. The conditional access module 115 could also be programmed to embed a 
particular type of watermark in the signals to be fed to the output 1 19. The conditional access 
module 115 could also be progransmed to switoh on encryption of a particular type in the 
signals to be fed to a digital output 119. 
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The signal processing module 1 16 is responsible for transforming the content 
data into signals that can be presented on the output 119- This comprises for example 
generating analog audio and/or video signals, but could also comprise embedding watenhark 
data into signals, filtering out particular portions of the content, generating a trick play 
version of the content and so on. The exact signal processing or transformation operations to 
be performed depend on e.g. the type of conteni; digital rights managCTient data embedded in 
the content^ output of Ifae conditional access module 115, and so on. 

The bus enoyption module 1 17 encrypts the audio and/or video signals to be 
presented on the output 1 19. For example, the host apparatus 110 could engage in an 
authentication protocol with another coniponent of the system 100. As a result of this 
authentication protocol the host apparatus 110 and flie other component share a secret key. 
The content can now be encrypted with flie secret key and be presented on the output 1 19 in 
encrypted form. This way, other components that can read firom the output 119 (for example 
by listening on the bus to which the output 119 is connected) caimot gain access to the 
content 

It is important to note that the processing modules 113-1 17 are all comtponents 
of the host ^aiatus 1 10 that may be implemented in whole or in part in software. It is not 
necessary to always use all of these modules 113-117. Flexible configuration and control of 
these modules 113-1 17 can be achieved by using tiie approach described in European patent 
qyplication serial number 02077406.3 (attorney docket PHNL020S49) to the same assignee 
as the present application. 

The cryptographic data is encoded on the storage medium 101 as variations 
102 in a physical paramet^ of the storage medium, said variations exhibiting a modulation 
pattem representing the cryptographic data. Such a physical parameter of a storage medium is 
sometimes referred to as a "wobble" on the storage medium. Reference is made to US patent 
5^724,327 (attorney docket PHN 13922) to the same assignee as the present invention which 
describes various techniques to create such a "wobble" and to store information in it Of 
course naturally occurring variations in said physical parameter can also be used as the seed. 

Preferably the cryptogrs^hic data is represented as a pattem of optically 
detectable marks alternating with intermediate areas arranged along said track thereof. These 
variations 102 preferably are variations in the track position in a direction transverse to tiie 
track directiooL 

In another embodiment the storage medium 101, having information marks 
along a track thereoj^ exhibits first variations caused by existence and non-existence of the 
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information marks along the track, which &st variations represent an information signal 
recorded on the record carrier, and second variations caused by variations associated with llie 
track, which second variations exhibit a modulation pattern representing a code. 

Other options for obtaining the cryptogr^hic data are also possible. Reference 

5 is made to a paper by R. P£q[>u, B. Recht, J. Taylor and N. Gerhenfeld, Physical one-way 
functions". Science, Vol. 297, 20 Sept. 2002, pp. 2026*2030. Disordered, scattering media 
are exdted by a laser beam, and the resulting light pattern is measured. Such media could be 
used somewhere on the surGace or embedded in an optical disc. The measured light pattern 
then serves as the cryptographic data. For this method it is also well recognized that 

10 reliability needs to be enhanced. 

The read module 1 12 now reads out tiiese variations 102 in a physical 
parameter of the storage medium, and reconstracts the cryptographic data, which is then 
supplied to the control module 120. M^surement of the variations in the physical parameter 
usually requires a special circuit, for instance connected to the servo control loop of the 

1 5 optical pick-up of the disc. The measured variations may comprise the cryptographic data 
with additional data, for example a Cyclic Redundancy Check (CRC) to comqpensate for 
small errors in the measurement Hie cryptographic data may be stored in a compressed or 
otherwise encoded &shion. It may thus be necessary to decompress, decode or otherwise 
process the measured variations before the cryptographic data is available in usable form. If 

20 tiiese variations have to be augmented or processed olherwise before they can be used for 
other purposes, then the processed variations represent the cryptogr^hic data. 

It is observed that the physical parameter does not have to be chosen such that 
it can be reliably measured. Natural aberrations that occur in the pressing process of 
recordable CD or DVD discs can be used as parameter. This will be explained in more detail 

25 below. 

The read module 1 12 also reads helper data from the storage medium 101. 
This helper data can be recorded on the storage medium 101 in an ordinary fashion, for 
example as a data track on a CD, or in a special sector of the medium 101. It could 
conceivably also be embedded in the content recorded on the storage medium 101 e.g. using 
30 a watermark. 

The authorization process in the control module 120 based on which access is 
granted to tiie storage medium 101 is based on an application of a delta-contracting function 
to tile cryptographic data and the helper data. To discuss this application, first some notation 
is discussed. 
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• Y: the cryptographic data, as obtained by measuring the value of the physical parameter 
of the storage medium 101 . 

• W: the helper data read from the storaige medium 101 . 

• V: a control value. 

5 • GQ: the delta-contracting function. 

• FQ: a cryptogr^hic function, prefi^ably a one-way hash fimction in the strict sense, but 
any cryptographic function can be used if it can achieve the desired cryptographic 
properties, for example a keyed one-way hash function, a trapdoor hash fimction, an 
asymmetric decryption function or even a symmetric encryption fimction. 

10 The authorization process, illustrated in Fig. 2, now proceeds as follows. The 

cryptographic data Y and the helper data W are both obtained as described above and fed to 
contracting module 205. Here the delta-contracting function GQ is applied to the 
cryptographic data Y and the helper data W : 

Z = G(Y,W) 

1 S The cryptogrq>hic function FQ* for example one of the well-known 

cryptogrsqphic one-way hash functions SHA-1, MDS, RIPE-MD, HAVAL or SNERFU, is 
dpphed to the output of the delta-contracting fimction GQ in hashing module 206: 

U = F(Z) = F(G(Y,W)) 
The output U of the function FQ is compared in comparator 207 a^inst a 
20 control value V. If U matches V, aulhorization is granted, otherwise no authorization is 

granted. The control value V can be present on the storage medium 101 just like the helper 
value W, or be obtained throu^ another path. For example, it could be stored on a smart 
card, on a Chip-In-Disc afSxed to the storage medium (see e.g. international patent 
application WO 02/17316 (attorney docket PHNL010233) by the same s^jplicant as the 
25 present application) or be obtained by contacting an external server. 

The control value V is computed beforehand, for example during production 
of the storage medium 101 or when recording tiie content on the storage medium 101. The 
physical parameter is read out to obtain a value X. The value V is coniputed as the output of 
an ^plication of the hash function FQ to some secret value S chosen (pseudo-)randomly: 
30 V = F(S) 

The secret value S is also used to determine the helper value W. W is 
calculated such that G(X, W) equals S. In practice this means that GQ allows &e calculation 
of an inverse W = G'^(X, S). 
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As e7q)lained above, for any arbitrary primary input value, the delta- 
ccmtraotiBg fimction GQ allows the choice of an appropriate value of the secondary input, 
such that any value of the primary icqput which sufficiently resembles said original primary 
hspxA value leads to the same ou^ut value. On the other hand, substantially different values 
of the primary ii^ut lead to different values of the ou^ut. 

A highly deshable, but for the purpose of the invention not strictly necessary 
property is that of "epsilon revealing". This property addresses the situation that a dishonest 
verifier sees onl^ the value of the secondary input of the function, but not the primary input. 
In this case, the verifier should learn little (say, not more than epsilon) about the output value. 
A typical example of such an attack is a disc drive modified by a hacker that attempts to get 
data firom an illegally copied disc, without the cryptographic data Y. 

As a first embodiment, the secondary input can be chosen as an exhaustive list 
of aU possible primary input values and their corresponding output value, A second 
embodiment uses a function which subtracts the secondary input firom the primary input and 
rounds the result to the nearest integer, or which maps the result of the subtraction to the 
nearest point on a given geometrical lattice (see the above-referenced p^er by Juels and 
Wattenberg). 

In another embodiment, the primary input Y is assumed to be a vector of 
values. The secondary input is a vector W which contains information about which entries of 
Y contain large* values that do not cause ambiguity if these would be quantized into a 
discrete value. This Z = W ♦ sign(Y), where * is an entry-by-entry multiplication, and vector 
W contains 0 and 1 values. The function sign(Y) returns -1 if Y is negative, +1 if Y is 
positive and 0 if Y equals 0. The resulting vector thus contains -1, 0, and Is. 

In another embodiment, G(W,Y) applies an error correction scheme. Y is 
quantized into discrete values. W contains redundancy. As an example here, consider a 
Hamming(7,4) code that can correct one error. In this example of a (7,4) code, the lengtii of 
Yplus the length of W is 7, and the length of Y is 4. Hence W should be of length 3. Y 
contains 4 elements: Y = (yi, y2, ya, y4) and W contains 3 elements: W = (wi, W2, wa). During 
the enrollment, one defines 

• wi = sign(xi) © sign(x2) © sign(x3) 

• W2 = sign(xi) © sign(x2) © sign(x4) 

• W3 = sign(xi) © sign(x3) © sign(x4) 

The output Z contains 3 elements (zi, Z2, za). These are coiiq)uted as 
(zi, Z2, Z3) = G(sign(yi), sign(y2), sign(y3), sign(y4), wi, W2, W3) 
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where G is a decoding function, for instance as described in JB. Fraleigh, "A 
first code in Abstract Algebra", Addison Wesley, Reading, MA, 1993, 5* Ed. pl49-157. A 
nearest neighbor decoder investigates the 7-bit string 

signal), sign(y2), sign(y3), sign(y4), wi, W2, ws 
5 If the string does not satisfy the condition 

• wi = signal) ® signCy2) ® signCya), 

• W2 = sign(yi)® sign(y2)©sign(y4) and 

• W3 = sign(yi) © sign(y3) © sign^4), 

the decoder will attempt to flip one of the bits in the 7-bit string until either the modified 
10 string satisfies the above condition or all bits have been flipped without the modified string 
satisfying the condition. This function apparently is delta-contracting with delta equals 1 bit. 
The control value V is precalculated during the enrollment, as V = F(si, S2, S3). 

Altiioug^ tins function GQ is delta-contracting, i.e., it is insensitive to minor 
disturbances in Y, it has less &vocable properties in terms of hiding the value of Z if only W 
IS is known. In &ct, Ihe function is tinree-bit revealing: For a g^^ the uncertainty in Y is 
reduced fix>m 4 bits to 1 bit Nonetheless, for larger code words fliese properties can be made 
more&vorably,particularly if thentteofthe code is significantiy less than one half . In such 
case only a small number of redundancy bits W are offered to the verifier, relative to the 
nuniber of unknown bits in Y. Reference is made to the above-referenced paper by Juels and 
20 Wattenberg £>r a discussion on the use of coding. 

In yet another embodiment, the primary and secondary inputs are vectors of 
identical length: Y = (yi, ya, y3, . . .), W = (wi, W2, W3, . . -) and Z = (zi, Z2, 23, . . 0 For the /-th 
dimension of Y, W and Z, the delta-contracting function GQ is 

l)gr, for any n = ..,-1,0,1,.. 
»qr„ for any n = ..,-1,0,1,.. 

25 with q the step size. 

During enrollment, the i-th element of X (denoted as Xi) is measured. For W, a 
value of Wi must be coniputed such that the value of Xi+Wi is pushed to a value where jq + Wi 
+ 5 will be quantized to the same Zi fer any small 5. An secret value of S is chosen as a vector 
of the same length as Y, W and Z. For the i-th dimension of S, Wi and integer n are chosen 

30 such that, for the measured xu 



{1 if 2ng ^ + < (2n + ] 
0 if (2n-l)q < yi^^w^ < n 



i^n-^-^q-Xi if J;=l 
(2n-^)q-Xi ifSi=0 
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Here n = -1, 0, 1, 2, ... is chosen such that -ql2 < Wi < ql2. The value of n is 
discarded, but the values of w< are released as helper data W. The control value V is obtained 
directly from the secret S, as V = F(S), During aulhentication, the contracting module 205 
executes the delta-contracting fimction GO defined above to obtain Z. • 

From the embodiments presented thus far, one can recognize the existence of 
various classes of delta-contracting functions. In a versatile iinplementation the delta- 
contracting fimction can involve <me or more of the following operations, in which the he^er 
data W is split up into four parts Wi, W2, W3 and W4: 

- a (linear) nmtrixmultipUcation on tiie primary input vector Y (where W defines the 
matrix). 

- the linear addition of helper data W2, e. g. as Y + W2 (illustrated in the last mentioned 
embodiment). 

- a quantization, where W3 defines the quantization areas 

- error correction decoding, where W4 can for instance contain redundancy bits (illustrated 
as the Hamming(7,4) code, where the redundancy bits are taken directiy fix>m the helper 
data) 

Fig. 3 gives an example of the combination of all above operations. The delta 
contracting function GQ is split into a linear matrix operation H (over the real or complex 
numbers), the addition of helper data W2, a quantizec^slicer Q, and an error correction code 
(ECQblock. 

The operation H uses helper data Wi to produce output Yi which is ni bits 
long. The result of adding helper data W2 is output Y2, which is 712 bits long. Y2 is fed into 
quantizer/slicer Q which produces from Y2 and W3 an output Y3 also of lengfli n^. The ECC 
block calculates m reHable bits Z fix>m input Y3 and W4. The cryptographic function FQ 
hashes Z into U of length 724 bits. 

As the example embodiment of Ihe Hamming (7,4) code has shown, it has 
advantages in terms of information concealing properties, to refrain from using error 
correction redundancy bits in the helper data. That is, it is usefid to consider a sub-class of 
delta-contracting functions (redundancy-free delta-contracting functions) where the helper 
data is not inserted in Ihe form of redundant bits (e.g. CRC bits) in an error correctmg code. 
The redundant bits offered to the decoda: are generated in tiie same way from the primary 
and secondary input as the information bits, as opposed to using helper bits directiy as input 
to the error correction decoder. The redundancy-free delta-contracting function may 
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nonetheless contain error correction decoding. In Fig. 3 this would mean that signal W4 is 
not present 

It is possible to use the value Z as the basis for a deciyption key K for 
decrypting, in the decryption module 1 13, the encrypted content data ECDs^The value Z 
5 could be used as-is, or be processed e.g. by applying a hash function to it. However, the hash 
fimction F(Z) should not be used here, because then Ihe decryption key would be equal to tiie 
value V which is available in plain text Nonetheless, to conserve the complexily of a 
practical implementation, one may choose to use F(Z% where Z* is a minor modification of 
2^ e.g. by flipping one bit 

10 The decryption key K can be derived further fiom data supplied by the system 

100. For instance, the apparatus 400 in which the host apparatus 1 10 is installed may be 
programmed in the factory with a secret value that is concatenated to the derived decryption 
key to obtain the final decryption key necessary to decrypt the content The combination of 
the (processed or unprocessed) value Z and the data supplied by the sfystem could be fed to a 

1 S hash function to obtain the decryption key. 

The control module 120 can subsequently siqyply the decryption key to the 
decryption module 113, which can use it as described above to decrypt the contmt. This way, 
access to flie content is granted implicitly. If the wrong decryption key is obtained, 
decryption wiUfidl and no pr(q>er output can be obtained. In this case it is not necessary to 

20 obtain V and compare U against V, because it will be evident fix>m the output that decryption 
has&iled. 

Access can also be controlled even if no decryption keys need to be sillied. 
If the comparator 207 detects a difference between U and V, the control module 120 can 
suppress signals being presented on the output 1 19. In other words, regardless of the 
25 protection of the content itself if the data U and V do not noiatch, no access to Ihe content is 
granted. 

This last option makes it possible to use the present invention as a copy 
prevention scheme, for instance to retrofit a system that does not iavolve encryption. One 
example is the le^ home recording of downloaded audio to CD-R. The autiientication 
30 scheme of Fig. 2 can be applied in a new generation of players. The helper value W and the 
control value V are stored on an empty CD-R in the fectory. A recording apparatus stores 
content in the clear, to ensure compatibility with existing CD players. New players retrieve 
W and V firom the disc, execute the authentication, and play leg^y created CD-Rs but not 
illegal bit-copies of these. Such illegal bit-copies will also contain copies of the values W and 
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V, but because this new disc has a different wobble, the value Y on this new disc will lead to 
a value for U that differs from V. 



limit the invention, and that those skilled in the art will be able to design many altemative 
5 embodiments without departmg from the scope of the ap^ 



PHNL000303) by the same supplicant as the present application discloses storing data for 
copy protection and control on a storage medium in the ordinary &shion, whilst using an 
intentionally-made variation in a physical parameter of the storage medium to store a 
10 cryptogr^hic hash of said data. By verifying that a hash of Ifae stored data matches the 

measured value of the physical parameter iaccess to the storage medium can be regulated. By 
also storing helper data and using a delta-contracting function according to the present 
invention, the reliability of this verification is improved. 



IS construed as limiting the claim. The word "comprising" does not exclude the presence of 
elements or steps otiier than those listed in a claim. The word "a" or "an" preceding an 
element does not exclude the presence of a plurality of such elements. The invention can be 
]nq>lemented by means of hardware comprising several distinct elements, and by means of a 
suitably programmed computer. 

20 In the device claim enumerating several means, several of these means can be 

embodied by (xne and the same item of hardware. The mere fact that certain measures are 
recited in mutually dififerent dependent claims does not indicate that a combination of these 
measures cannot be used to advantage. 



It should be noted that the above-mentioned embodiments illustrate rather than 



For example, uitemational patent application WO 01/95327 (attorney docket 



In the claims, any reference signs placed between parentheses shall not be 
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CLAIMS: 



1 . A method of granting access to content on a storage medium (1 01), 
comprising obtaining cryptographic data 00 ^om a property (102) of the storage medium 
(101), reading helper data (W) from the storage medium (101), and granting the access based 
on an application of a delta-contracting function to the cryptographic data (Y).and the helper 

5 data(W). 

2. The method of claim 1, comprising deriving a deayption key (K) for 
decrypting the content at least firom the application of the delta-contracting function. 

10 3, The method of clahn 2, comprising deriving Ihe decryption key (K) furfher 

firom data suppliedby a playback or recording ^aratus (400). i 

4, The method of claim 1, in which the access is granted if the output of the 
delta-contracting function corresponds to a control value (V) recorded on the storage medium 

15 (101). 

5, The method of claim 4, comprising applying a cryptographic function to the 
output of the delta-contracting fbnction and coniparing the output of the cryptographic 
function to the control value (V). 

20 

6. The method of claim S, in which the cryptographic fimction is a one-way hash 
ftmction. 

7. The method of claim 1 , in which the delta-contracting function involves a 
25 combination of a matrix multiplication on the cryptographic data (Y), a linear addition of at 

least a portion of the helper data (W), a quantization in which the quantization areas are 
de£btied by a portion of the helper data (W), and error correction decoding. 
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8. 



A device (1 10) ananged for granting access to content on a storage medium 



(101), comprising jQrst reading means (1 12) for obtaining cryptographic data (Y) from a 
property (102) of thel storage medium (101), Second reading me&ns (1 12) for reading helper 
data (W) firom the storage medium (101), and access control means for granting the access 
5 based on an application of a delta-contracting function to the cryptographic data (Y) and the 
helper data (W). 

9. A playback md/or recording apparatus (400) comprising a device (101) as 

claimed in claim 8 and arranged to efifect the playback and/or recording if acc^ granted 
10 by the device (1 10). 



10. A computer program product arranged to cause a processor to execute the 

method of claim 1. 
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ABSTRACT: 



A method of and device (1 10) for granting access to content on a storage 
medium (101), coniprising obtaining cryptographic data (Y) from a property (102), such as a 
wobble, of the storage medium (101), readmg helper data (W) from the storage medium 
(101), and granting the access based on an application of a delta-contracting fimction to the 
5 cryptographic data (Y) and the helper data (W). The delta-contracting function allows the 
choice of an Q)prppriate value of the helper data (W), such that any value of the 
cryptographic data (Y) which sufBcientiy resembles said original jirimaiy input value leads to 
the same output value. Substantially different values of the cryptogr^hic data (Y) lead to 
different values of the ou^ut 

10 

Fig.2 
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